
ya, it is much better to trust your most secret internal documents to random third party "businessmen" over in whoknowswhereistan after you got *owned*

No it isn't. How old are you? Have you ever worked in anything other than McDonalds? Company Confidentiality is essential for running a business. It's also a legal requirement in the case of HR records. Uploading particular records to Google would breach numerous laws and could get you closed down.

Isn't it more likely the sales patter for Office 2007 will become of course, if you were using our latest version...? Not that I'm suggesting Microsoft engineered it, mind... but it might not be as bad for them as seems initially

I met a college student last year who writes all of her papers in Adobe Photoshop. She just sets up 300dpi pages and types all the text into text boxes. That way she could make pretty photographic backgrounds. And there are NO security issues!

I initially thought about using OpenOffice; I think it's probably the best solution overall, since it's free and you can get it right now. But let's say you absolutely need to work in Word -- how can you make sure that a document is safe? If you opened a document in OO, and then saved it, would the resulting document be guaranteed to be clean? What if you saved it as an RTF and then opened that back up in Word? That would probably lose a lot of people's fancy formatting, but it would preserve most of the con

Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.

The point is that there is a danger that a trojan on someone else's machine could start spreading infected Word files inside a corporation, or just amongst friends. Note furthermore:

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

It can't be triggered automatically, and limited accounts (like every Vista system) will be largely unaffected. (Because exploits will usually try to root the box or install something, both of which will be prevented.)

Also observe that Office 2007 isn't affected. Obviously MS is doing something right in the next generation of their products.

Putting aside your Microsoft fanboy attitude of 'oh just buy the next version and all will be well!' let's look at this objectively. And for the sake of being kind I won't go into details of how painful this will be for business in general; Sticking to the simple points will do just fine to point out how horrible this is.

> Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.

Now you sound new to the world of tech as you haven't been embittered against Microsoft so I'll give you a break on this one. End users have two types of authentication; 'This looks shiny' *click* and 'Oh I know this person' *click*. So in reality the summary is an effective warning and really if someone in a business gets a document saying AccountsNov06.doc who is to say it is expected or unexpected - someone sent you the accounts and a nice little social engineering spiel to lure you to the click. Yes boss, three bags full boss.

> The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

> It can't be triggered automatically, and limited accounts (like every Vista system) will be largely unaffected. (Because exploits will usually try to root the box or install something, both of which will be prevented.)

See previous post about *clicky*. If your boss tells you to deal with AccountsNov06.doc then you deal with AccountsNov06.doc and that usually, if I'm not mistaken, involves opening it for a start. Also largely unaffected; what does that really mean? There will be a box come up saying 'Click me like you usually do as I get in the way of every simple task' because let me tell you as a system administrator even I started clicking them without thinking after two hours of testing Vista. Finally on this topic users who have limited accounts is a joke - even with your AD locking down almost all of the system most places still allow execution of applications and scripts which may have decent root kitting abilities that bypass user rights - only high schools and net cafes go the whole nine yards.

And lastly you have the gem of saying Microsoft is great because their next product line isn't affected. I think the parent to this post addressed this point perfectly with the following:

> You mean like not releasing them yet?

Which points out the flaw in your argument very nicely. Still it is worth expanding for those unfamiliar with Office 2k7 in that a) it implements a new XML document format which has nothing to do with .doc so isn't affected and b) they have time to fix their .doc filter layer so this doesn't happen in the wild under 2k7 - in fact I'd almost wager a decent price that the current release of Office 2k7 floating around the MS offices has the flaw and if it doesn't I'd be raising questions that this was a stunt to force upgrades and kill off .doc faster.

Either way before you mouth off at Slashdot consider the topic and its implications to users and business first; there are many real Slashdot exaggerations that are stabs at Microsoft and this isn't one of them. Sometimes it is apt to say that Microsoft really did drop the ball.

Both of your examples are the same thing; Preschool children by definition have the mental capacity of preschool children. In any case I stand by my claim which is based on several years of observation of this very problem as I wanted to see how they could fail so badly at basic authentication and fall for scams/spams/etc.

Also it is nice that you have time and the interest to educate your clients and I commend you (please assume no sarcasm in that line). Unfortunately as per a generalisation I do not believe your case is common and then of no importance to the claim. Also many sys admins are in the added disadvantage that those who break the system are equal to them in standing and prefer to run their own affairs as they are 'grown ups who can tell the difference between right and wrong'... And seriously what can you say against that? While I will say they are pre-school children when it comes to computer based personal authentication I would never say it to their faces as they simply wouldn't understand the context and scope it was meant in. You may reply that I'm not giving my users enough credit... Though that is another argument which I'm not going to go into.

Note that our users also contact us when they are in doubt... Though it is rare that a doubtful response comes back from their 'friend' or 'shiny' assessment of a seemingly (to them) authentic email.

Here is a message we sent to customers. Links were added for posting on Slashdot:

Everyone,

Don't use Microsoft Word. Use Open Office instead. This advice remains
effective until Microsoft releases a patch, and it is installed.

Microsoft just issued a security advisory [microsoft.com] warning people not to open
Microsoft Word documents unless they have the latest version of
Microsoft Word, which was just released, and costs [microsoft.com] $329 for the
upgrade, or $679 for the most powerful full version.

It's probably closer to the mark than "receive unexpectedly". If someone in a corporation became infected, and they infect documents on a shared network location -- game over. Other users don't have to "receive" it via a classic-email virus, but rather they just have to go about their daily business. You touched on this yourself, and it is why this does basically mean "there be dragons" for all word files in corporations.

> It can't be triggered automatically, and limited accounts (like every Vista system) will be largely unaffected.

Phew! Now that we know that the burgeoning community of Vista users will be "largely unaffected", we're safe! That comprises the set that downloaded and installed the RTM from MSDN, so at a minimum, around an installed base comparable to QNX.

In any case, "largely unaffected" is more deceptive than the Slashdot summary (which came right from Cnet) -- the risk of compromises nowadays is seldom that they'll reconfigure your drivers or repartition your drive, thus requiring admin rights (when was the last time a virus was actually maliciously destructive in such a manner?), but rather that they'll compromise data integrity/security. If Bob is a normal user, but he's in HR and thus has rights to HR information, then so does an exploit running as Bob the unprivileged numbers-monkey.

It's not really deceptive, I often get attachments from almost everyone I regularly correspond with without expecting them first. Am I supposed to now call or email everyone I know every time they send me something to confirm that they intended to?

As for being hardly affected, it simply says LESS affected. What's to prevent the trojan from taking over your Outlook client and using it to send spam and propagate itself to everyone you know as well. Doesn't take root to do that, nor countless other things.

Yes, you absolutely did. There are no exploits running around in the wild affecting Macs. You can't cite a single real-world example. Not a single one.

What you conveniently leave out when you cited the long-ago debunked Mac mini hack is that the Mac was previously configured to give anyone an account who requested one, including full SSH access to poke around. Even the readers at Digg tore this one apart. Hardly the typical situation.

None of them are zero-day exploits?

Absolutely correct. None of them are being exploited at all.

Checking one of the UNIX utility vulnerabilities (because these are the only ones that we know when they were discovered) the perl vulnerability was discovered in December 2005.

With that perl vulnerability, and probably others in the list, it was discovered in 2005 and Apple only get around to releasing a patch now.

Which should tell you just how "urgent" it was to fix something that wasn't really a problem in the first place.

Look at the list above from Apple; you would have had to screen e-mail for HTML, new fonts, turn off your wireless card, not use any Windows shares, not go to any links to web pages given in e-mails, not go to any suspect web pages, etc, etc.

Lies, lies, and more lies. 100% false in every way imaginable.

The only difference is that Apple don't post security bulletins giving people warning, that might damage sales.

Uh, they do post security bulletins.

Have fun having a false sense of security though.

Ah, the old "false sense of security" canard, despite the fact THERE IS NOT A SINGLE EXPLOIT RUNNING IN THE WILD THAT IS INTRUDING ON A SINGLE MAC. You can't cite a single one. Go for it.

Do you have any other skewed, sliced-and-diced "facts" you want to post that I can debunk? Any articles you want to cite without revealing the full situation behind them? Clearly, you have some chip on your shoulder against Macs, but your shortcomings don't change the fact that there is not a single trojan or virus running in the wild for Macs. Not one.

I doubt anyone is really this stupid, you must be a troll, but what the hell..

> Yes, you absolutely did. There are no exploits running around in the wild affecting Macs. You can't cite a single real-world example. Not a single one.

"running around in the wild"? An exploit is a piece of code which can be used to exploit a vulnerability. One thing that the rm-my-mac-mini competition showed is that exploits have been written for undisclosed OS X vulnerabilities. If no exploits existed how could OS X's securit

As will OpenOffice.org on all platforms. That's not the point - how on earth can someone code so sloppily that a WORD PROCESSOR has a serious security exploit?! And more importantly, what feature in aforementioned WORD PROCESSOR requires *anything* that could pose a security issue?

Maybe the notion of writing all my papers in HTML wasn't so insane after all... no more of these archaic "pages", and it would certainly be a more reliable way of turning in assignments than e-mail attachments. Take care of a formatting stylesheet once, and from there on it's just using the <p> tag to full appropriateness.

> how on earth can someone code so sloppily that a WORD PROCESSOR has a serious security exploit?!

The usual reason - a local buffer created from the stack set to a fixed size, i.e.

char cbuf[MAX_BUFFER];

I would guess that the Microsoft Word document file will be arranged using a chunk data format: file header followed by object headers with type, version, length, followed by binary data for that object. In this way, unknown chunks can just be skipped over.

It would be no surprise that each programmer coding a particular object (formula, table) would assume that only they would be the only one writing read/write routines for their particular object, and choose to use a local stack buffer to store the raw binary data, before converting it to the internal data structure.

When reading the document, they would just read the header as normal (type, version, length), then read the specified amount of object data without checking the validity of the length.

And it only takes one programmer to make this mistake in order to create a security vulnerability that compromises the entire application. Get the right type of data in the Word document, and you could theoretically load and execute some executable code stored in the file.
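The length check this comment says is missing, as an added example that is not part of the original comment and not Word's actual file format. The header layout (u16 type, u16 version, u32 length, little-endian), `TYPE_TEXT` and all function names are assumptions made for illustration; the sample chunks are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_BUFFER 64 /* fixed-size stack buffer, as in cbuf[MAX_BUFFER] */
#define HDR_SIZE 8    /* assumed header: u16 type, u16 version, u32 length (LE) */
#define TYPE_TEXT 1   /* hypothetical chunk type this reader understands */

enum { ERR_TRUNCATED = -1, ERR_TOO_LONG = -2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The mistake: the declared length drives the copy with no validation.
 * Shown for contrast only; it is never called in this example. */
uint8_t read_chunk_unchecked(const uint8_t *chunk) {
    uint8_t cbuf[MAX_BUFFER];
    uint32_t len = rd32(chunk + 4);
    memcpy(cbuf, chunk + HDR_SIZE, len); /* writes past cbuf if len > MAX_BUFFER */
    return len ? cbuf[0] : 0;
}

/* Hardened walk over every chunk in file[0..file_len). Returns the number of
 * TYPE_TEXT chunks handled (their payload bytes summed into *sum), or a
 * negative error. Unknown types are skipped by their declared length, but
 * only after that length is checked against the bytes actually present. */
int walk_chunks(const uint8_t *file, size_t file_len, uint32_t *sum) {
    size_t off = 0;
    int handled = 0;
    *sum = 0;
    while (off < file_len) {
        if (file_len - off < HDR_SIZE) return ERR_TRUNCATED;
        uint16_t type = rd16(file + off);
        uint32_t len = rd32(file + off + 4);
        /* The length field may not claim more than the file holds. */
        if (len > file_len - off - HDR_SIZE) return ERR_TRUNCATED;
        if (type == TYPE_TEXT) {
            uint8_t cbuf[MAX_BUFFER];
            /* ...and may not exceed the destination buffer. */
            if (len > sizeof cbuf) return ERR_TOO_LONG;
            memcpy(cbuf, file + off + HDR_SIZE, len);
            for (uint32_t i = 0; i < len; i++) *sum += cbuf[i];
            handled++;
        }
        off += HDR_SIZE + (size_t)len;
    }
    return handled;
}

/* Builds one constructed sample chunk; declared_len may differ from the
 * number of payload bytes actually written, to model a lying header. */
size_t put_chunk(uint8_t *dst, uint16_t type, uint32_t declared_len,
                 uint8_t fill, size_t actual_len) {
    dst[0] = (uint8_t)(type & 0xff);
    dst[1] = (uint8_t)(type >> 8);
    dst[2] = 1; dst[3] = 0; /* version 1 */
    for (int i = 0; i < 4; i++) dst[4 + i] = (uint8_t)(declared_len >> (8 * i));
    memset(dst + HDR_SIZE, fill, actual_len);
    return HDR_SIZE + actual_len;
}

int main(void) {
    uint8_t f[256];
    uint32_t sum;
    size_t n = put_chunk(f, TYPE_TEXT, 4, 2, 4);
    n += put_chunk(f + n, 99, 10, 0xAA, 10);  /* unknown type, skipped */
    int ok = walk_chunks(f, n, &sum) == 1 && sum == 8;
    n = put_chunk(f, TYPE_TEXT, 100, 7, 100); /* length exceeds cbuf */
    ok = ok && walk_chunks(f, n, &sum) == ERR_TOO_LONG;
    return ok ? 0 : 1;
}
```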

Yeah, I really want to submit users to random hangs while the Java VM garbage collects itself. Not to mention that yes, speed does matter, so until you can actually show some evidence of real-life shrink-wrapped applications running just as fast on a VM as on the metal, I think we'll stick with C++ (trust me, repagination is a lot of work, and it's already bad enough in long documents).

Given the choice between random sub-second hangs and random crashes with occasional virus infection, I'll take the former any day. Besides, modern VMs compile everything to machine code prior to execution (JIT), so there shouldn't be any significant speed penalty to them - and there isn't, as far as I can tell.

And if you think Word's too complex and shouldn't be doing that much work, you know where to find notepad (or vi), but good luck making professional documents; I'm fairly certain that most of our 500 million customers will stick with Word.

> trust me, repagination is a lot of work, and it's already bad enough in long documents

I don't use a word processor, I use LaTeX, which seems to have much better layout rules than any version of Word I have seen. The document I am working on is around 200 pages. Compiling it (including invoking gnuplot to draw a load of graphs, pulling in a few code files and syntax highlighting them, constructing an index and bibliography, and making sure all cross-references are correct) takes 7 seconds of wall time on my current laptop, and most of that is time spent waiting for I/O.

Oh, and much of the typesetting code used by LaTeX is written as interpreted macros that are run by the TeX runtime system. If it were all hard-coded, even in Java, it would be even faster.

Earlier this year, I saw a demo of a typesetting system written in Smalltalk (and running in the Squeak VM) that represented every character as an object, with simple rules (e.g. stay next to next character, jump to next line if you are over the margin, jump to the end of line if there is only whitespace between you and the end of line). It ran very fast; he dragged an image across a multi-page document, and the text re-flowed around it, and the entire thing was written in a couple of pages of Smalltalk.

If pagination is slow in Word, then I can only imagine it's because the developers need replacing.

If I can't even open my friends' documents then what am I - as a manager to do?

I don't know where you got your MBA, but the low-hanging fruit is there to be picked - in simple terms, you need to synergize new communications opportunities by leveraging existing facilities. Incentivize your staff to maximally capitalize on the benefits of an approach which unifies the output of global arboreal facilities, existing team-member dexterity and some pens.

Could the problem be avoided by opening any .doc files with OO.org? I'm assuming that the exploit will only work if the file is actually opened with Word, so it would stand to reason that opening it with some other application would be safe. Can anyone tell me why I'm wrong?

You sir, are spot on. Back when macro viruses were rampant, when word 6 would unexpectedly corrupt word documents and make them "unreadable," it was wordperfect to the rescue. The file conversion would strip any macro viruses, and would ignore formatting that it couldn't understand, compromised/corrupted files could be rescued, (and re-saved in word 6 format to begin the process again, because officially we are a microsoft only shop)

Seriously, please be a joke. This shit is going to be hell to try and explain to everyone at work, and then un-explain later, without totally fucking up all the investment in getting them to not infect their machines with all manner of crap. :(

Zero day [wikipedia.org]: At the time the details of the exploit are published (or the patch is released), there already is an active exploit being circulated. I guess if you don't know exactly when the exploit was released it's a technically "less than or equal to zero-day" exploit, but that doesn't sound as sexy.

It means that there is a working exploit out there in the wild, which is using a vulnerability that was previously unknown to the security community / the software maker. That is, there was zero days warning.

Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.

If you send an email to Fred saying "Can you send me xxxx", and Fred replies, saying "Here it is", you can probably safely open the attachment. You should just exercise caution when Fred sends you an email out of the blue saying "Hey, read this would you?".

> If you send an email to Fred saying "Can you send me xxxx", and Fred replies, saying "Here it is", you can probably safely open the attachment. You should just exercise caution when Fred sends you an email out of the blue saying "Hey, read this would you?".

Should Fred open my message "Can you send me xxxx" if it was not preceded by Fred's message "Can you send me your 'Can you send me xxxx'"?

Or should I pick up the phone to inform the Fred that I'm sending the "Can you send me xxxx" message to

Your guidance is wrong. "Probably" means more likely than not. According to Microsoft's own statistics Fred's XP workstation is "probably" a rooted, keylogging spambot zombie. His files safe? Get real.

On the other hand, your machine is "probably" exploited already too, so why not just give up? Everyone else has. It's not like anybody wants to read your boring data anyway, right? Besides, what are we to do? If we can't use Office, we might as well

> 'not open or save Word files,'

Do they call it "The Evolution of Microsoft Office"?

> To help you understand more about the merits of Microsoft Office 2003, we are preparing the new series of FREE training courses for you.

TRAINING COURSE - RULE#1: Don't open or save Word files!

> It's time for an evolution! Act now to take the Microsoft Office 2003 Training Courses and get rid of your current backward office!

TRAINING COURSE - RULE#2: Since you cannot open/save your documents... get rid of your curre

I'm seeing this as a HUGE opportunity to start the text document revolution. You can get really creative with characters and create some really romantic notes with text. Chicks would surely go nuts for a guy who could create character-based graphics with text!

I'm not too worried about this because most users are aware of attachment exploits like this.

I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.

For the home user it is a bit more of an issue. At the same time most people use Yahoo, MSN, Google or some other account that has an active scanner that I'm sure will be able to block these in the short run... if not by analyzing the file, by analyzing the subject line. Heck, chances are it'll look like spam to my firewall won't let it thru to begin with.

I do wish MS would put out the technical details of this exploit. It sounds like some sort of a buffer overflow. Something tells me it is a graphic insert of some sort, but who knows.

> I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.

And what do you do about the exploits already mailed to you, before the firewall suppliers figure out signatures and put them in place?

And if they don't successfully design signatures to catch ALL exploits of the flaw, what do you do about later stuff that exploits the flaw differently, and arrives in the window before signatures for THAT exploit are devel

Except that I have been saying that for years. MS Doc format is an untrustworthy format. It has been known to carry unexpected payloads in the past and there are alternatives which are known to be safer yielding similar if not identical results for most people. (And if someone thinks they actually NEED to have VBA in a word document, I'd have to suggest there's probably a better way to program your way out of the situation you find yourself in. I just haven't been able to think of a good reason to have programming code in a Word document and I haven't seen a good example either. Can anyone offer a reason good enough?)

ODT works well... hell, for that matter RTF works well enough for most people.

At least there was a warning rather than 43 unannounced patches next Tuesday, I'll say that much for them. It's a shame that there is no patch yet though. Without saying how detrimental this will be for MS, I'm thinking that now I can't tell people that OOo is just like MS Office but free... now I have to tell them that it's probably safer too. Ugggh, the people that want OOo and F/OSS software to be as good as MS Office and OS products really bug me, and this story is exactly why.

Ya, sure, MS is the biggest target, so gets more hacker attention. Just the same, being king of the hill is not easy, and F/OSS software makers should do their best to simply keep doing things well, rather than doing them 'just like MS does' as it's not working out so good for Redmond today.

Do everything that 80+% of users want, do it very well, and let the Excel gurus and desktop publishing companies do the things for those other 12% or so. That's the biggest bang for buck right there. That 12% might be the biggest spenders, but they also don't care about the cost, or don't want to retrain or convert etc. ad nauseum.

you will be vindicated. I have stuck with Office 97, because I have never thought that any of the "improvements" that M$ has made in newer versions of Office were worth the price of a new program. It is now too old to be affected by the latest virus. Lord, this is sweet.

... without spreading FUD along with it. Microsoft did *not* say you shouldn't open documents "even from trusted sources". They said [microsoft.com]:

Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.

I thought Zero-day referred to the first day that a vulnerability is publicly available. Start counting up from there. I've seen it used in every possible way though. Sometimes I gather people are referring to the day the patch was issued. Wikipedia doesn't really clear it up http://en.wikipedia.org/wiki/Zero_day [wikipedia.org]

JESUS H. CHRIST jumping a barbed wire fence, Slash editors. Who's letting these submissions across the wire? While slash is not a world-class journal or trade rag, it ought tot

Welcome, you must be new here!

They actually did say that, but you could claim the slashdot post was misquoted: "Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file."